Argentina: the land of tango, "hand of God" Maradona, and, now, location where an employee at the Boston Children's Hopsital lost a laptop with information on over 2,000 people. The laptop computer in question was not protected with laptop encryption software like AlertBoot, triggering a medical data breach.

South American Conference

Why was the laptop is Argentina? It's a long way from Boston, MA. As it turns out, an employee went to a conference in Buenos Aires, and took the laptop. So far, so good.

But, here's the critical follow up question: knowing that your computer is being taken out of the country, why were the contents of that laptop computer not protected with encryption software? Password protection was used, according to several articles, but password-protection is not really protection, as I often note.

Well, it turns out that perhaps the data breach was unexpected -- although, who cannot claim the same for any data breach? -- because, according to bostonglobe.com,

The file, which did not include financial data or Social Security numbers [but did include names, birth dates, diagnoses, and treatment information for 2,159 patients], was not saved to the hard drive but was on the laptop in an e-mail attachment when it was stolen.

"Was not saved to the hard drive, but was on the laptop?" Obviously, someone has a weak grasp on what's going on. If it's on the laptop, it's saved to the hard drive, period; I'll come back to this later. Regardless, it's this passage that leads me to believe that the breach was "unexpected," and why the laptop was not encrypted.

Consider how the breach was triggered: a file with medical data that was sent as an attachment to an email message. It's implied that, otherwise, there is nothing that would have triggered a breach of HIPAA and HITECH regulations. This indicates that the laptop normally does not hold sensitive patient information. If so, it explains why the employee was allowed to take the device out of the country. It also explains why strong disk encryption was not used: there was no reason to. At least, there weren't any obvious ones.

The usual rule of thumb when it comes to data security is to analyze your data security situation, find out your data security needs, and then implement them. So, not encrypting the laptop is, under the circumstances, understandable. Assumptions were made, the situation was analyzed, and it didn't look like encryption was necessary.

But, that's only when things go according to plan. Hence, the other school of thought when it comes to data security: follow the same steps listed above, but also overcompensate when it makes sense to do so. For example, there is a growing body of professionals who'll deploy full disk encryption on any employee laptops, regardless of what the laptop is used for or who it is used by.

The reason? With files shared over the network, and with ad hoc employee role changes, it's impossible to figure out who has what, when, and where. Any assumptions you make at the onset about the contents of a device have to be thrown out the window. What does that leave you with? Disk encryption for the entire computer.

Incidentally, this is why companies ought to be insisting that employees actively use device encryption on their personal smartphones and tablets.

Was Not Saved to the Hard Drive...?

Circling back to my criticism above: when you're announcing a data breach, anything on a laptop is saved to the hard drive. Otherwise, you wouldn't go public with the breach because there wouldn't be a breach.

Perhaps an attempt was being made to differentiate between the physical act of actively saving a file to a hard drive and automatically downloading an attachment, but not opening it. However, to claim that the attachment was not saved to hard drive of the laptop is extremely misleading. For example, let's say the employee at the center of the Children's Hospital data breach used Microsoft Outlook to manage emails, not an unreasonable assumption. Any emails with attachments found in the inbox of Outlook are, by definition, saved to the hard drive.

And saved to the laptop. For goodness sake, the hard drive is where things on the laptop are saved to. If you haven't already grasped on to this factoid, I can see why you wouldn't use proper data security.

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading
provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing
support of the AlertBoot disk encryption managed service.
Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts
University in Medford, Massachusetts, U.S.A.